Technical Article - eSIMs, Corporate Devices and MDM (Mobile Device Management)

eSIMs, Corporate Devices & MDM: A Technical Deep Dive

Understanding how eSIM technology behaves on managed devices — and what you can (and can’t) do about it.


What is an eSIM (and Why It Matters)

An eSIM (embedded SIM) is a digitally programmable SIM built directly into your device. Unlike traditional SIM cards, it uses Remote SIM Provisioning (RSP) to download carrier profiles over the air, powered by the eUICC architecture (an internal chip with appropriate firmware in phones, tablets and some laptops that support eSIM technology).

This allows multiple network profiles to be stored on a single device and activated as needed — a major advantage for travellers, enterprise deployments, and dual-line setups.

From a security perspective, eSIMs are highly tamper-resistant and cannot be physically removed or cloned, making them particularly attractive for corporate environments and device fleets.


How eSIM Installation Actually Works

At a technical level, installing an eSIM involves securely downloading a carrier profile from a provisioning server (SM-DP+). This process includes:

  • Device authentication with the carrier
  • Encrypted profile download
  • Secure installation into the eUICC chip
  • Activation of the selected profile

In consumer scenarios, this is typically triggered by scanning a QR code or opening an auto-install link. In enterprise environments, this can be automated via provisioning systems or Mobile Device Management (MDM) platforms.

Some ecosystems (like Apple Business Manager or Microsoft Intune) allow eSIM profiles to be deployed silently in the background during device setup or enrolment.


Key eSIM Limitations (That Catch People Out)

1. One-Time Installation Rules

Many eSIM profiles are single-use. Once deleted, they cannot be reinstalled without issuing a new profile. This is a deliberate security design to prevent sharing or duplication.

2. Device Binding

eSIM profiles are often tied to a specific device (via EID). This means:

  • You cannot freely transfer profiles between devices
  • Switching phones may require a new eSIM

3. Limited Profile Storage

While multiple profiles can be stored, devices have finite eUICC storage. Only one (or two) can be active at the same time (much like a dual physical SIM phone).

💡 Did you know? Most modern phones can store between 2-20 eSIMs, but use 1-2 at the same time.

4. Carrier & Regional Restrictions

Not all carriers support eSIM equally, and availability can vary by country, plan type, and device model.


Corporate Devices & MDM: Why Things Get Complicated

When a device is enrolled in a Mobile Device Management (MDM) system, control shifts from the user to the organisation.

MDM platforms (such as Microsoft Intune or enterprise Apple deployments) can:

  • Push or restrict eSIM installations
  • Block adding or removing cellular plans
  • Control which carriers can be used
  • Disable local SIM/eSIM management entirely
  • Block or severely restrict third-party apps (e.g. eSIM providers that use apps)

For example, administrators can enforce restrictions that prevent any modification of eSIM profiles, effectively locking the device to corporate connectivity policies.

In some cases, eSIM profiles are automatically deployed during setup, with no user interaction required.
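
For administrators checking which policy is responsible on Apple devices, the following added example (not from the original article) reads an unsigned .mobileconfig profile and reports the eSIM-related keys in the Restrictions payload that are set to block changes. The sample profile and its identifiers are constructed for illustration; `allowESIMModification` and `allowCellularPlanModification` are Apple's restriction keys, and other MDM platforms expose equivalent settings under their own names.

```python
import plistlib

# Restrictions payload (com.apple.applicationaccess) keys that govern cellular
# plans. A key that is absent from the payload means the action is allowed.
ESIM_KEYS = {
    "allowESIMModification": "adding or removing eSIM profiles is blocked",
    "allowCellularPlanModification": "changing cellular plan settings is blocked",
}

def audit_profile(mobileconfig_bytes):
    """Return (payload identifier, key, effect) for every eSIM key set to False."""
    try:
        profile = plistlib.loads(mobileconfig_bytes)
    except Exception as exc:  # signed (CMS-wrapped) profiles are not plain plists
        raise ValueError("not an unsigned plist profile") from exc
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue  # only the Restrictions payload carries these keys
        for key, effect in ESIM_KEYS.items():
            if payload.get(key, True) is False:
                findings.append((payload.get("PayloadIdentifier", "?"), key, effect))
    return findings

# Constructed sample profile (hypothetical identifiers): a Wi-Fi payload plus a
# Restrictions payload that blocks eSIM changes but allows plan settings.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.corp.baseline",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadIdentifier": "com.example.corp.wifi",
         "SSID_STR": "ExampleCorp"},
        {"PayloadType": "com.apple.applicationaccess",
         "PayloadIdentifier": "com.example.corp.restrictions",
         "allowESIMModification": False,
         "allowCellularPlanModification": True},
    ],
})

if __name__ == "__main__":
    for ident, key, effect in audit_profile(SAMPLE_PROFILE):
        print(f"{ident}: {key}=false -> {effect}")
```
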


Common Issues on MDM-Managed Devices

🚫 eSIM Cannot Be Installed

This is often due to MDM restrictions disabling eSIM modification or blocking manual profile installation.

🚫 QR Code Fails with an error or Does Nothing (no error)

Even if the device supports eSIM, the OS may block installation at the policy level.

🚫 eSIM Disappears After Reset/Restart

In supervised or re-enrolled devices, profiles may be wiped or require re-provisioning by IT.

🚫 Data Works but Certain Apps Don’t

This can be due to:

  • Corporate VPN or traffic routing
  • Firewall or DNS restrictions
  • Split tunnelling policies
  • MDM app restrictions

Possible Workarounds (Not Guaranteed)

⚠️ Important: These are situational and depend entirely on your organisation’s policies. Policies may be written but not electronically enforced. We recommend you follow your corporate documentation or reach out to your IT/IT security team or HR department regarding these policies.

1. ⚡ Use a Secondary (Unmanaged) Device - Easiest, but you need a 2nd phone. 

The most reliable workaround is to install your eSIM on a personal device not controlled by MDM. This grants full separation between work and personal use.

2. Check If Dual SIM/eSIM Is Allowed

Some organisations allow a secondary line alongside the corporate profile. In that case it is simply a matter of purchasing an eSIM from airsims.com.au, so long as the phone is compatible.

3. Request Temporary Policy Changes

IT teams can sometimes:

  • Enable eSIM modification (install and removal) temporarily. Most companies may ask for:
    • A start date and end date
      • We recommend allowing 2 days before the trip and an additional 2 days after it. This allows for testing and factors in possible flight delays coming home.
    • Which countries are being visited
    • The reason for using an eSIM (depending on employer)

4. Install Before Enrolment

If possible, installing an eSIM before enrolling in MDM may allow it to persist (depending on policies). The downside is that removal/deletion of the eSIM may be problematic depending on company policy.

5. Use Wi-Fi + VPN as Backup

In restricted environments, Wi-Fi combined with a VPN can sometimes provide connectivity where cellular profiles are blocked.


Who Should You Speak To?

If you're having trouble using an eSIM on a corporate device, the issue is rarely the eSIM itself.

Start with:

  • Your company’s IT or mobility team
  • Your MDM administrator

They can confirm:

  • Whether eSIM installation is allowed
  • If restrictions are in place
  • If exceptions can be made

You can also contact airsims.com.au for guidance in the right direction, but they typically cannot override MDM restrictions imposed by your company, as the settings are at the phone, tablet or laptop level.


Final Thoughts: eSIM + MDM Is About Control, Not Compatibility

eSIM technology is flexible, secure, and built for modern connectivity — but in corporate environments, policy always overrides capability.

If something isn’t working, it’s usually not a fault — it’s a deliberate configuration with the company's IT security and compliance at the heart of it.

The good news? With the right understanding (and sometimes a quick chat with IT), most situations can be clarified quickly.

💡 Pro Tip: If you travel frequently, consider keeping a personal device or backup connectivity option — it provides flexibility without conflicting with corporate security policies and you have a physical device in the event any of the devices are bricked or unusable.

---

Created 06-Apr-2026
